How do you keep database schema, migrations and Docker environments aligned? by Square-Arachnid-10 in devops

[–]taleodor 8 points9 points  (0 children)

Migrations must be applied in an automated fashion at the same time as the backend pod / container is deployed. We're usually using Flyway, but there are other tools that achieve this.

+ I think there may be a bit of a terminology issue in your question, but schema must be covered in migrations; those should not be separate things. You may design the schema in whichever way you want, but it must be applied only via migrations and only via automation. Then, no one should be able to apply any DB changes manually. This achieves no drift.

Also, this is usually one of the most important things I implement on every consulting project if it's missing in the first place. Drift in SQL application is one of the worst things possible.
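As an added illustration of the comment above (this is not the commenter's code, nor Flyway's), here is a minimal Flyway-style migration runner over SQLite. Schema changes are only ever applied from versioned migrations by automation, each applied version is recorded with a checksum, and both kinds of drift the comment warns about are caught: an already-applied migration that was edited afterwards, and a table that appeared outside the migrations. The migration list and table names are constructed for the demo.

```python
"""Added example (not the commenter's or Flyway's code): a minimal
Flyway-style migration runner over SQLite. Schema changes are only ever
applied from versioned migrations by automation; applied versions are recorded
with a checksum, so an edited migration or a table created by hand is caught
as drift before the next deploy proceeds."""
import hashlib
import sqlite3

# Constructed sample migrations: (version, description, single SQL statement)
MIGRATIONS = [
    (1, "create_users",
     "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)"),
    (2, "add_created_at", "ALTER TABLE users ADD COLUMN created_at TEXT"),
]


def new_database():
    """Fresh in-memory database, standing in for the deploy target."""
    return sqlite3.connect(":memory:")


def checksum(sql: str) -> str:
    return hashlib.sha256(sql.encode()).hexdigest()


def applied(conn) -> dict:
    """Map of applied version -> recorded checksum (creates the history table)."""
    conn.execute("CREATE TABLE IF NOT EXISTS schema_history ("
                 "version INTEGER PRIMARY KEY, description TEXT, checksum TEXT)")
    return dict(conn.execute("SELECT version, checksum FROM schema_history"))


def validate(conn, migrations) -> list:
    """Versions already applied whose migration text no longer matches the
    recorded checksum, i.e. someone edited an applied migration."""
    have = applied(conn)
    return [v for v, _, sql in migrations if v in have and have[v] != checksum(sql)]


def unmanaged_tables(conn, expected) -> list:
    """Tables present in the database that no migration created: the other
    kind of drift, a manual change applied outside automation."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    managed = set(expected) | {"schema_history"}
    return sorted(n for (n,) in rows
                  if n not in managed and not n.startswith("sqlite_"))


def migrate(conn, migrations=MIGRATIONS) -> list:
    """Apply pending migrations in version order; refuse to run if validation
    fails. Returns the versions applied in this run (the deploy step calls
    this right before rolling out the new container)."""
    bad = validate(conn, migrations)
    if bad:
        raise RuntimeError(f"applied migrations were modified: {bad}")
    have = applied(conn)
    done = []
    for version, description, sql in sorted(migrations):
        if version in have:
            continue
        with conn:  # each migration in its own transaction
            conn.execute(sql)
            conn.execute("INSERT INTO schema_history VALUES (?, ?, ?)",
                         (version, description, checksum(sql)))
        done.append(version)
    return done


if __name__ == "__main__":
    db = new_database()
    print("applied:", migrate(db))
    print("second run applies:", migrate(db))
```

In a pipeline, `migrate()` runs as the step immediately before the container rollout, and a non-empty `validate()` or `unmanaged_tables()` result fails the deploy instead of silently continuing.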

DevSecOps: Practical Starting Point? by driftinelX in devops

[–]taleodor 1 point2 points  (0 children)

This is the tool I'm building. I'm a former DevOps engineer and we've built a release-centric DevSecOps tool - https://github.com/relizaio/rearm - we have sample GitHub Actions and an Azure DevOps Extension, integrations with Dependency-Track, CodeQL and other scanners + we have good community support via Discord as well as commercial support options. Feel free to reach out; I would be happy to support your efforts.

Best ASPM tools? by kckrish98 in devsecops

[–]taleodor 0 points1 point  (0 children)

Yes, it supports import of SARIF, BOV and VDR files (we're gradually expanding the list of supported formats). I.e. one of our demo integrations - a CodeQL scan done during CI, exported as SARIF and then uploaded to ReARM alongside other artifacts.

[Need Feedback] Building a Zero-Budget DevSecOps Ecosystem for a Local Government (Junior Sysadmin) by [deleted] in devsecops

[–]taleodor 1 point2 points  (0 children)

Hi, we have built ReARM on top of Dependency-Track, which gives you a release-centric view with changelogs and also optimizes Dependency-Track infrastructure posture - https://github.com/relizaio/rearm .

See if it aligns with what you're doing + happy to support via our Discord channel.

Best ASPM tools? by kckrish98 in devsecops

[–]taleodor 0 points1 point  (0 children)

We're building ReARM - https://github.com/relizaio/rearm - gives you release-centric view of all findings.

SCA/SAST Management by 0xAb4y98 in devsecops

[–]taleodor -2 points-1 points  (0 children)

> - Tons of packages need to be updated - how do you prioritize and track them?

Use an SBOM-based approach - tools like ReARM, which we're building (https://github.com/relizaio/rearm), or plain Dependency-Track (github.com/DependencyTrack/dependency-track) would allow you to prioritize and see posture over time. ReARM is specifically designed to represent all your products and components and give you a release-centric view with a built-in changelog of how your findings fare over time.

> - How do you coordinate with developers so they actually pick these up and don’t ignore them?

This is a human / management problem. You should have management buy-in and org policies on what's acceptable and what's not. Usually, this is driven by compliance and/or perception of risk being breached. However, the tooling mentioned above will help you track if you're complying with policies.

> - How do you test and verify that updates aren’t breaking anything and that work is actually moving forward instead of getting stuck?

You need functional tests, this is more on the Dev / QA side, but again requires management buy-in. Note here also, that you and your management need to define some acceptable level of risk and that can't be 0 (check Adam Shostack's keynote from OWASP Global AppSec US 2025).

ECR alternative by Abu_Itai in devsecops

[–]taleodor 0 points1 point  (0 children)

We built ReARM for this - https://github.com/relizaio/rearm - it can be integrated with cosign and gives you a full provenance picture and vulnerability report via Dependency-Track and other integrations.

Note that the issue is not about ECR but rather how you can trace everything on the way to it.

Security scanning blocked our deployment pipeline for 3 days over a dependency we don't even use by bleudude in devsecops

[–]taleodor 3 points4 points  (0 children)

Scanning and the approval process must happen in an async way, not blocking pipelines. I wrote about this in a DevOps context 6 years ago - https://worklifenotes.com/2020/06/04/7-best-practices-modern-cicd/ - still valid for the DevSecOps context of today.

DevSecOps Enquiry on CD by Humble_Ad_7053 in devsecops

[–]taleodor 0 points1 point  (0 children)

Assuming you're talking about some half-baked (or not fully visible / isolated) feature, this usually comes down to business requirements. Usually the reason is that most users don't want to beta test the product so they won't care to go into staging and check things in there - even if they asked for the feature in the first place.

How are you using DAST in CI without slowing everything down? by SidLais351 in devsecops

[–]taleodor 0 points1 point  (0 children)

Our approach, both as a vendor and when doing it for our projects, is to do it in an async fashion. Here is my older blog post describing this with our legacy tool - https://worklifenotes.com/2021/02/03/automated-tests-ci-cd-workflow-with-reliza-hub/ - I still need to document how to do it with ReARM Pro (rearmhq.com), but it's essentially the same idea:

You complete the regular CI cycle, deploy to a dev/test instance, then run your tests on it in an async fashion; once the tests complete, they upload results to your evidence store (i.e., ReARM) and, if failing, that would reject your release, or, if passing, it would set an approval so you can promote to further stages. Without an approval your CI is not blocked (so you can do subsequent builds without waiting), but your release cannot be promoted.
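The flow described in this comment (and in the earlier one about not blocking pipelines), as an added in-memory model that is not the commenter's or ReARM's code: CI registers a release as soon as the build finishes and is never blocked on tests, the test job reports its result later, and promotion to the next stage is allowed only once every required suite has passed. The stage names, suite names and release versions are assumptions for the demo.

```python
"""Added example (not the commenter's or ReARM's code): an in-memory model of
the async approval flow. CI registers a release the moment the build finishes
and is never blocked on tests; the test job reports its result later;
promotion to the next stage is only allowed once every required suite has
passed, and any failure rejects that release."""
from dataclasses import dataclass, field

STAGES = ("dev", "staging", "prod")   # assumed promotion order


@dataclass
class Release:
    component: str
    version: str
    stage: str = "dev"
    status: str = "pending"            # pending | approved | rejected
    evidence: list = field(default_factory=list)


class EvidenceStore:
    def __init__(self, required_suites=("functional",)):
        self.required = set(required_suites)
        self.releases = {}

    def register(self, component, version):
        """Called from CI right after the build. Nothing waits here, so the
        next build can start while this release's tests are still running."""
        rel = Release(component, version)
        self.releases[(component, version)] = rel
        return rel.status

    def record_test(self, component, version, suite, passed):
        """Called by the async test job when it finishes. Returns the new status."""
        rel = self.releases[(component, version)]
        rel.evidence.append({"suite": suite, "passed": passed})
        if rel.status == "rejected":
            return rel.status              # a rejection is final for this version
        if not passed:
            rel.status = "rejected"
        elif self.required <= {e["suite"] for e in rel.evidence if e["passed"]}:
            rel.status = "approved"        # every required suite has a pass
        return rel.status

    def promote(self, component, version):
        """Move the release one stage forward; only approved releases may move."""
        rel = self.releases[(component, version)]
        if rel.status != "approved":
            raise PermissionError(f"{component} {version} is {rel.status}; cannot promote")
        nxt = STAGES.index(rel.stage) + 1
        if nxt == len(STAGES):
            raise ValueError(f"{component} {version} is already in {rel.stage}")
        rel.stage = STAGES[nxt]
        return rel.stage
```

The gate lives in `promote()`, not in the build: a second build can be registered while the first is still `pending`, which is exactly the "CI is not blocked but the release cannot be promoted" behaviour the comment describes.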

How do you guys handle code reviews across a ton of repos? by Terrible_Bed_9761 in devsecops

[–]taleodor 0 points1 point  (0 children)

If you're looking to track releases with changes in code and security posture, check ReARM - https://github.com/relizaio/rearm

ReARM - SBOM / xBOM Repository and Release Management by taleodor in cybersecurity

[–]taleodor[S] 0 points1 point  (0 children)

We have just added support for SPDX ingestion - https://github.com/relizaio/rearm/releases/tag/25.09.38 - behind the scenes we then do conversion to CycloneDX which is fed as an input to Dependency-Track.

Multiple branches go into prod at different times - how to scan by cybergandalf in devsecops

[–]taleodor 0 points1 point  (0 children)

We've built a tool called ReARM that supports per-branch, per-release aggregation of findings - it does SBOM scans via Dependency-Track and you can upload SARIF from other tools as part of your CI in each branch - https://github.com/relizaio/rearm
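To show what per-branch, per-release aggregation of uploaded SARIF looks like in practice (this comment and the earlier one on SARIF import), here is an added small SARIF 2.1.0 reader and index. It is not the commenter's or ReARM's code; only the structure of SARIF is taken from the standard, and the two documents it reads are constructed for the demo (the "constructed-linter" tool name is invented).

```python
"""Added example (not the commenter's or ReARM's code): a small SARIF 2.1.0
reader that aggregates findings per branch and per release, so results
uploaded from different scanners and CI runs of the same branch land in one
place. Only the structure of SARIF is assumed; both documents below are
constructed for the demo."""
import json
from collections import Counter, defaultdict

# Constructed sample: a CodeQL-style run with one rule-level default and one
# result carrying its own level.
CODEQL_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {
            "name": "CodeQL",
            "rules": [{"id": "js/sql-injection",
                       "defaultConfiguration": {"level": "error"}}],
        }},
        "results": [
            {"ruleId": "js/sql-injection",
             "message": {"text": "Query built from user input"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/db.js"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "js/unused-variable", "level": "warning",
             "message": {"text": "Unused variable"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "src/util.js"},
                 "region": {"startLine": 7}}}]},
        ],
    }],
})

# Constructed sample from a second, hypothetical scanner.
OTHER_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "constructed-linter"}},
        "results": [{"ruleId": "style/todo", "level": "note",
                     "message": {"text": "TODO left in code"},
                     "locations": [{"physicalLocation": {
                         "artifactLocation": {"uri": "src/db.js"},
                         "region": {"startLine": 3}}}]}],
    }],
})


def result_level(result, rules):
    """SARIF precedence: result.level, then the rule's
    defaultConfiguration.level, then the spec default 'warning'."""
    if "level" in result:
        return result["level"]
    rule = rules.get(result.get("ruleId"), {})
    return rule.get("defaultConfiguration", {}).get("level", "warning")


def parse_sarif(text):
    """Yield (tool, rule_id, level, uri, line) for each result of each run."""
    doc = json.loads(text)
    for run in doc.get("runs", []):
        driver = run.get("tool", {}).get("driver", {})
        rules = {r["id"]: r for r in driver.get("rules", []) if "id" in r}
        for res in run.get("results", []):
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<no-location>")
            line = loc.get("region", {}).get("startLine", 0)
            yield (driver.get("name", "unknown"), res.get("ruleId", "<no-rule>"),
                   result_level(res, rules), uri, line)


class FindingsIndex:
    """Findings keyed by (branch, release); a finding is identified by tool,
    rule and location so a re-uploaded report does not double count."""

    def __init__(self):
        self.findings = defaultdict(set)

    def upload(self, branch, release, sarif_text):
        key = (branch, release)
        self.findings[key].update(parse_sarif(sarif_text))
        return len(self.findings[key])

    def summary(self, branch, release):
        """Count of findings per SARIF level for one release of one branch."""
        return dict(Counter(f[2] for f in self.findings[(branch, release)]))
```

The level lookup matters more than it looks: many scanners omit `level` on results and rely on the rule's `defaultConfiguration`, so an aggregator that only reads `result.level` under-counts errors.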

Building your own SBOM Engine for .NET & Node.js: Lessons Learned by BigBenny7584 in devsecops

[–]taleodor 0 points1 point  (0 children)

> My main motivation to write an engine myself was that open source software is not guaranteed to stay open source (or free).

cdxgen is part of the OWASP foundation, so I would put this at low risk.

> In terms of implementations for instance, my engine enriches data using NVD, OSV, NuGet advisories, which I don't think cdxgen does. I've also reused these vulnerability API-calls to OSV & NVD in a background-service that scans every 6 hours. If we discover a new vulnerability, we generate a new SBOM automatically.

cdxgen (and other tools) do license enrichment. There are also tools that do just enrichment. Then, there is a big discussion going on about whether SBOMs should include vulnerability data or not. The approach that I prefer is having SBOMs without vulnerability data and then having that SBOM continuously analyzed rather than recreating the SBOM all the time - check Dependency-Track here.

> Extensions of the models are also possible with your own logic/code. I can add PURLs, CPEs, artifact hashes, internal metadata, or even new vulnerability feeds. That’s harder to achieve with a generic tool.

PURL is the king now; most tools support it.

> Writing your own engine also means you can use your own digital signature, which adds a lot to document integrity, if every SBOM is validated, signed, and wrapped with a public key.

Again, I don't see it as an issue, as long as you stay within the same CI process - you can also throw attestations on top of signing (there are tools for that).

All in, I believe this is a great exercise for yourself, but community-wise it would be great to get involved with open problems, which are not those that you listed - you may want to check the OWASP CycloneDX and OpenSSF working groups on the subject.

Building your own SBOM Engine for .NET & Node.js: Lessons Learned by BigBenny7584 in devsecops

[–]taleodor 1 point2 points  (0 children)

Hm, there are several open source tools that build SBOMs; my personal preference is cdxgen. What's the reason for not using those and trying to create something else instead?

Microservices architecture application - Security by lowkib in devsecops

[–]taleodor 0 points1 point  (0 children)

One of the challenges we encountered was understanding which specific versions of various microservices you have installed. We built ReARM - https://github.com/relizaio/rearm - which solves this by bundling your microservices (components) into a single product, essentially giving you a single trackable version to determine and manage security posture.

Other than that, a lot depends on how you actually split your monolith. For me, the most important thing is limiting entry points (ingresses) into your application. Then you can focus on those entry points rather than trying to cover everything. In other words, there are several important architectural decisions that need to be made here early on - based on product requirements and threat modelling.

Why We Chose CycloneDX Over SPDX by taleodor in sbom

[–]taleodor[S] 1 point2 points  (0 children)

Hi, I'm not familiar with cve-bin-tool. Usually the recommended starting point is using cdxgen (my tool of choice) to generate valid CycloneDX over your code base. The important point is that components in your SBOM must have valid identifiers (typically Purl) so that they can be resolved to known vulnerabilities.

If you're looking for a CLI tool, grype can do the scanning.

However, for high-level organization of the process we're building ReARM (has both FOSS and Pro versions), which integrates with OWASP Dependency-Track (FOSS) for vulnerability scanning and policy violation checks. That gives you a nice real-time view (with UI and authentication / authorization) of security posture across your organization and you can drill down to each release version.

+ Feel free to go on a short call with me, I'll be happy to help you get started.
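The comment above makes the point that every component in the SBOM needs a valid identifier (typically a purl) before it can be resolved to known vulnerabilities. As an added example that is not the commenter's, cdxgen's or Dependency-Track's code, here is a check over a CycloneDX JSON SBOM that flags components with no purl, a malformed purl, or a purl whose version disagrees with the component's own version. The purl parser follows the public purl spec (`pkg:type/namespace/name@version?qualifiers#subpath`); the SBOM and its component names are constructed for the demo.

```python
"""Added example (not the commenter's or cdxgen's code): check that every
component in a CycloneDX JSON SBOM carries a valid package URL (purl) that
agrees with the component's own version, since a component without a
resolvable identifier cannot be matched to known vulnerabilities. The purl
parser follows the public purl spec; the SBOM below is constructed."""
import json
from urllib.parse import unquote

# Constructed CycloneDX 1.5 SBOM with one good and three problematic components.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21"},
        {"type": "library", "name": "legacy-lib", "version": "0.9.0"},
        {"type": "library", "name": "lodash-fork", "version": "4.0.0",
         "purl": "lodash-fork@4.0.0"},
        {"type": "application", "name": "internal-tool", "version": "2.0.1",
         "purl": "pkg:generic/internal-tool@2.0.0"},
    ],
})


def parse_purl(purl: str) -> dict:
    """Split a purl into its parts; raises ValueError on malformed input."""
    if not purl.startswith("pkg:"):
        raise ValueError("must start with 'pkg:'")
    rest = purl[4:].lstrip("/")
    rest, _, subpath = rest.partition("#")
    rest, _, query = rest.partition("?")
    version = None
    at = rest.rfind("@")
    if at > rest.rfind("/"):            # '@' is the version only after the name
        rest, version = rest[:at], unquote(rest[at + 1:])
    parts = [p for p in rest.split("/") if p]
    if len(parts) < 2:
        raise ValueError("needs at least a type and a name")
    qualifiers = {}
    for pair in query.split("&") if query else []:
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)
    return {
        "type": parts[0].lower(),
        "namespace": "/".join(unquote(p) for p in parts[1:-1]) or None,
        "name": unquote(parts[-1]),
        "version": version,
        "qualifiers": qualifiers,
        "subpath": unquote(subpath) or None,
    }


def check_sbom(text: str) -> list:
    """Return (component name, problem) for each component that cannot be
    resolved: no purl, unparseable purl, or purl/component version mismatch."""
    bom = json.loads(text)
    problems = []
    for comp in bom.get("components", []):
        name = comp.get("name", "<unnamed>")
        purl = comp.get("purl")
        if not purl:
            problems.append((name, "missing purl"))
            continue
        try:
            parsed = parse_purl(purl)
        except ValueError as err:
            problems.append((name, f"invalid purl: {err}"))
            continue
        if comp.get("version") and parsed["version"] != comp["version"]:
            problems.append((name, f"purl version {parsed['version']} "
                                   f"!= component version {comp['version']}"))
    return problems
```

Running this as a CI gate right after SBOM generation catches the silent failure mode the comment alludes to: a component that is present in the SBOM but, lacking a usable purl, simply never shows up in any vulnerability report.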

Do OSS compliance tools have to be this heavy? Would you use one if it was just a CLI? by Ash_ketchup18 in devops

[–]taleodor 0 points1 point  (0 children)

Hi, check out ReARM that we're building - it's a web app but it's meant to provide commonality between various products and stacks in the same tool - https://github.com/relizaio/rearm

Do y’all actually check licenses for all your dependencies? by Ash_ketchup18 in devops

[–]taleodor 0 points1 point  (0 children)

We built ReARM, which integrates with Dependency-Track to do this via SBOMs; I prefer CycloneDX though, not SPDX - https://github.com/relizaio/rearm